Home » ZyXEL Manuals » Networking » ZyXEL VSG1432-B101 » Manual Viewer

ZyXEL VSG1432-B101 User Guide - Page 260

Negotiation Mode, IPSec and NAT

Get ZyXEL VSG1432-B101 PDF manuals and user guides

Add to My Manuals
Save this manual to your list of manuals

Page 260 highlights

Chapter 21 IPSec 21.4.4 Negotiation Mode The phase 1 Negotiation Mode you select determines how the Security Association (SA) will be established for each connection through IKE negotiations. • Main Mode ensures the highest level of security when the communicating parties are negotiating authentication (phase 1). It uses 6 messages in three round trips: SA negotiation, Diffie-Hellman exchange and an exchange of nonces (a nonce is a random number). This mode features identity protection (your identity is not revealed in the negotiation). • Aggressive Mode is quicker than Main Mode because it eliminates several steps when the communicating parties are negotiating authentication (phase 1). However the trade-off is that faster speed limits its negotiating power and it also does not provide identity protection. It is useful in remote access situations where the address of the initiator is not know by the responder and both parties want to use pre-shared key authentication. 21.4.5 IPSec and NAT Read this section if you are running IPSec on a host computer behind the ZyXEL Device. NAT is incompatible with the AH protocol in both Transport and Tunnel mode. An IPSec VPN using the AH protocol digitally signs the outbound packet, both data payload and headers, with a hash value appended to the packet. When using AH protocol, packet contents (the data payload) are not encrypted. A NAT device in between the IPSec endpoints will rewrite either the source or destination address with one of its own choosing. The VPN device at the receiving end will verify the integrity of the incoming packet by computing its own hash value, and complain that the hash value appended to the received packet doesn't match. The VPN device at the receiving end doesn't know about the NAT in the middle, so it assumes that the data has been maliciously altered. IPSec using ESP in Tunnel mode encapsulates the entire original packet (including headers) in a new IP packet. The new IP packet's source address is the outbound address of the sending VPN gateway, and its destination address is the inbound address of the VPN device at the receiving end. When using ESP protocol with authentication, the packet contents (in this case, the entire original packet) are encrypted. The encrypted contents, but not the new headers, are signed with a hash value appended to the packet. Tunnel mode ESP with authentication is compatible with NAT because integrity checks are performed over the combination of the "original header plus original payload," which is unchanged by a NAT device. 260 VSG1432-B101 Series User's Guide

Section	Page
VSG1432-B101 Series	1
About This User's Guide	3
Document Conventions	5
Safety Warnings	7
Contents Overview	9
Table of Contents	11
User’s Guide	21
Introducing the VSG1432-B101	23
1.1 Overview	23
1.2 Ways to Manage the ZyXEL Device	23
1.3 Good Habits for Managing the ZyXEL Device	23
1.4 Applications for the ZyXEL Device	24
1.4.1 Internet Access	24
1.4.2 ZyXEL Device’s USB Support	25
1.5 Hardware Setup	26
1.6 Hardware Connections	28
1.7 LEDs (Lights)	29
1.8 The RESET Button	31
1.9 Wireless Access	31
1.9.1 Using the WLAN/WPS Button	31
The Web Configurator	33
2.1 Overview	33
2.1.1 Accessing the Web Configurator	33
2.2 Web Configurator Layout	36
2.2.1 Title Bar	36
2.2.2 Main Window	37
2.2.3 Navigation Panel	37
Quick Start	41
3.1 Overview	41
3.2 Quick Start Setup	41
Tutorials	43
4.1 Overview	43
4.2 Setting Up an ADSL PPPoE Connection	43
4.3 Setting Up a Secure Wireless Network	46
4.3.1 Configuring the Wireless Network Settings	46
4.3.2 Using WPS	48
4.3.3 Without WPS	52
4.4 Setting Up Multiple Wireless Groups	53
4.5 Setting Up NAT Port Forwarding	56
4.6 Configuring Static Route for Routing to Another Network	58
4.7 Configuring QoS Queue and Class Setup	60
4.8 Access the ZyXEL Device Using DDNS	63
4.8.1 Registering a DDNS Account on www.dyndns.org	64
4.8.2 Configuring DDNS on Your ZyXEL Device	64
4.8.3 Testing the DDNS Setting	65
4.9 Access Your Shared Files From a Computer	65
Technical Reference	67
Network Map and Status Screens	69
5.1 Overview	69
5.2 The Network Map Screen	69
5.3 The Status Screen	71
Broadband	75
6.1 Overview	75
6.1.1 What You Need to Know	75
6.1.2 Before You Begin	76
6.2 The Broadband Screen	77
6.2.1 Add/Edit Broadband	78
6.2.2 PPPoE Encapsulation	78
6.3 Technical Reference	86
6.3.1 Encapsulation	86
6.3.2 Multiplexing	87
6.3.3 VPI and VCI	87
6.3.4 IP Address Assignment	87
6.3.5 NAT	88
6.3.6 Traffic Shaping	88
6.3.7 ATM Traffic Classes	89
6.3.8 Introduction to VLANs	89
Wireless	91
7.1 Overview	91
7.1.1 What You Can Do in this Chapter	91
7.1.2 What You Need to Know	92
7.2 The General Screen	92
7.2.1 No Security	95
7.2.2 Basic (WEP Encryption)	96
7.2.3 More Secure (WPA(2)-PSK)	98
7.2.4 WPA(2) Authentication	99
7.3 The More AP Screen	101
7.3.1 Edit More AP	102
7.4 MAC Authentication	103
7.5 The WPS Screen	105
7.6 The WMM Screen	106
7.7 The WDS Screen	107
7.7.1 WDS Scan	109
7.8 The Others Screen	110
7.9 Technical Reference	111
7.9.1 Wireless Network Overview	111
7.9.2 Additional Wireless Terms	113
7.9.3 Wireless Security Overview	114
7.9.4 Signal Problems	117
7.9.5 BSS	117
7.9.6 MBSSID	118
7.9.7 Preamble Type	119
7.9.8 Wireless Distribution System (WDS)	119
7.9.9 WiFi Protected Setup (WPS)	120
Home Networking	127
8.1 Overview	127
8.1.1 What You Can Do in this Chapter	127
8.1.2 What You Need To Know	128
8.1.3 Before You Begin	129
8.2 The LAN Setup Screen	130
8.3 The Static DHCP Screen	132
8.4 The UPnP Screen	133
8.5 Installing UPnP in Windows Example	134
8.6 Using UPnP in Windows XP Example	137
8.7 Technical Reference	142
8.7.1 LANs, WANs and the ZyXEL Device	143
8.7.2 DHCP Setup	143
8.7.3 DNS Server Addresses	143
8.7.4 LAN TCP/IP	144
Static Routing	147
9.1 Overview	147
9.2 The Routing Screen	148
9.2.1 Add/Edit Static Route	149
Quality of Service (QoS)	151
10.1 Overview	151
10.1.1 What You Can Do in this Chapter	151
10.2 What You Need to Know	152
10.3 The Quality of Service General Screen	153
10.4 The Queue Setup Screen	154
10.4.1 Adding a QoS Queue	156
10.5 The Class Setup Screen	157
10.5.1 Add/Edit QoS Class	159
10.6 The QoS Policer Setup Screen	163
10.6.1 Add/Edit a QoS Policer	164
10.7 The QoS Monitor Screen	165
10.8 Technical Reference	166
Policy Forwarding	171
11.1 Overview	171
11.2 The Policy Forwarding Screen	171
11.2.1 Add/Edit Policy Forwarding	172
Network Address Translation (NAT)	175
12.1 Overview	175
12.1.1 What You Can Do in this Chapter	175
12.1.2 What You Need To Know	175
12.2 The Port Forwarding Screen	176
12.2.1 Add/Edit Port Forwarding	178
12.3 The Applications Screen	179
12.3.1 Add New Application	180
12.4 The Port Triggering Screen	181
12.4.1 Add/Edit Port Triggering Rule	183
12.5 The DMZ Screen	185
12.6 The ALG Screen	186
12.7 The Sessions Screen	186
12.8 Technical Reference	187
12.8.1 NAT Definitions	187
12.8.2 What NAT Does	188
12.8.3 How NAT Works	189
12.8.4 NAT Application	190
Dynamic DNS Setup	193
13.1 Overview	193
13.1.1 What You Can Do in this Chapter	194
13.1.2 What You Need To Know	194
13.2 The DNS Entry Screen	195
13.2.1 Add/Edit DNS Entry	196
13.3 The Dynamic DNS Screen	196
IGMP	199
14.1 Overview	199
14.1.1 What You Can Do in this Chapter	199
14.1.2 What You Need to Know	199
14.2 The IGMP General Screen	202
14.3 IGMP Filter Configuration	204
14.3.1 IGMP Host Limitation Edit	206
14.3.2 IGMP Service Add	207
14.3.3 IGMP Host Limitation Add	208
14.4 IGMP ACL Configuration	209
14.4.1 IGMP ACL Add	210
Interface Group	211
15.1 Overview	211
15.1.1 What You Can Do in this Chapter	211
15.2 The Interface Group Screen	211
15.2.1 Interface Group Configuration	213
Firewall	215
16.1 Overview	215
16.1.1 What You Can Do in this Chapter	215
16.1.2 What You Need to Know	216
16.2 The Firewall Screen	217
16.3 The Protocol Screen	217
16.3.1 Add a Protocol	219
16.4 The Access Control Screen	220
16.4.1 Add/Edit an ACL Rule	222
MAC Filter	225
17.1 Overview	225
17.2 The MAC Filter Screen	225
Parental Control	227
18.1 Overview	227
18.2 The Parental Control Screen	227
18.2.1 Add/Edit Parental Control Rule	228
Scheduler Rules	231
19.1 Overview	231
19.2 The Scheduler Rules Screen	231
19.2.1 Add/Edit a Schedule	232
Certificates	233
20.1 Overview	233
20.1.1 What You Can Do in this Chapter	233
20.2 What You Need to Know	233
20.3 The Local Certificates Screen	234
20.3.1 Create Certificate Request	235
20.3.2 Load Signed Certificate	236
20.3.3 Import Certificate	237
20.3.4 Certificate Details	239
20.4 The Trusted CA Screen	241
20.4.1 View Trusted CA Certificate	242
20.4.2 Import Trusted CA Certificate	243
IPSec	245
21.1 Overview	245
21.1.1 What You Can Do in this Chapter	245
21.1.2 What You Need to Know	246
21.2 The IPSec Status Screen	247
21.3 The IPSec Settings Screen	248
21.3.1 Add/Edit IPSec Setting	249
21.3.2 Configuring Manual Key	254
21.4 Technical Reference	256
21.4.1 IPSec Architecture	257
21.4.2 Encapsulation	258
21.4.3 IKE Phases	259
21.4.4 Negotiation Mode	260
21.4.5 IPSec and NAT	260
21.4.6 VPN, NAT, and NAT Traversal	261
21.4.7 ID Type and Content	262
21.4.8 Pre-Shared Key	263
21.4.9 Diffie-Hellman (DH) Key Groups	264
Service Control	265
22.1 Overview	265
22.2 The Service Control Screen	265
ARP Table	267
23.1 Overview	267
23.1.1 How ARP Works	267
23.2 ARP Table Screen	268
Logs	269
24.1 Overview	269
24.1.1 What You Can Do in this Chapter	269
24.1.2 What You Need To Know	269
24.2 The System Log Screen	270
24.3 The Security Log Screen	271
Traffic Status	273
25.1 Overview	273
25.1.1 What You Can Do in this Chapter	273
25.2 The WAN Status Screen	274
25.3 The LAN Status Screen	276
IGMP Status	279
26.1 Overview	279
26.1.1 What You Can Do in this Chapter	279
26.2 The IGMP Group Screen	279
26.3 IGMP Statistics Screen	280
Users Configuration	283
27.1 Overview	283
27.2 The Users Configuration Screen	283
27.2.1 Add/Edit a Users Account	285
Remote Management	287
28.1 Overview	287
28.1.1 What You Can Do in this Chapter	287
28.2 The TR-069 Clients Screen	287
28.3 The TR-064 Screen	289
Time Settings	291
29.1 Overview	291
29.2 The Time Setting Screen	291
Logs Setting	295
30.1 Overview	295
30.2 The Log Settings Screen	295
30.2.1 Example E-mail Log	297
Firmware Upgrade	299
31.1 Overview	299
31.2 The Firmware Screen	299
Configuration	301
32.1 Overview	301
32.2 The Configuration Screen	301
32.3 The Reboot Screen	304
Diagnostic	305
33.1 Overview	305
33.2 The Diagnostic Screen	305
Troubleshooting	307
34.1 Power, Hardware Connections, and LEDs	307
34.2 ZyXEL Device Access and Login	308
34.3 Internet Access	310
34.4 Wireless Internet Access	312
Product Specifications	315
35.1 Hardware Specifications	315
35.2 Firmware Specifications	316
Setting up Your Computer’s IP Address	321
IP Addresses and Subnetting	345
Pop-up Windows, JavaScripts and Java Permissions	355
Wireless LANs	365
Services	381
Open Software Announcements	385
Legal Information	397

Match case Limit results 1 per page

Chapter 21 IPSec

VSG1432-B101 Series User’s Guide

260

21.4.4

Negotiation Mode

The phase 1

Negotiation Mode

you select determines how the Security

Association (SA) will be established for each connection through IKE negotiations.

•

Main Mode

ensures the highest level of security when the communicating

parties are negotiating authentication (phase 1). It uses 6 messages in three

round trips: SA negotiation, Diffie-Hellman exchange and an exchange of

nonces (a nonce is a random number). This mode features identity protection

(your identity is not revealed in the negotiation).

•

Aggressive Mode

is quicker than

Main Mode

because it eliminates several

steps when the communicating parties are negotiating authentication (phase 1).

However the trade-off is that faster speed limits its negotiating power and it also

does not provide identity protection. It is useful in remote access situations

where the address of the initiator is not know by the responder and both parties

want to use pre-shared key authentication.

21.4.5

IPSec and NAT

Read this section if you are running IPSec on a host computer behind the ZyXEL

Device.

NAT is incompatible with the

protocol in both

Transport

and

Tunnel

mode.

An IPSec VPN using the

protocol digitally signs the outbound packet, both data

payload and headers, with a hash value appended to the packet. When using

protocol, packet contents (the data payload) are not encrypted.

A NAT device in between the IPSec endpoints will rewrite either the source or

destination address with one of its own choosing. The VPN device at the receiving

end will verify the integrity of the incoming packet by computing its own hash

value, and complain that the hash value appended to the received packet doesn't

match. The VPN device at the receiving end doesn't know about the NAT in the

middle, so it assumes that the data has been maliciously altered.

IPSec using

ESP

Tunnel

mode encapsulates the entire original packet

(including headers) in a new IP packet. The new IP packet's source address is the

outbound address of the sending VPN gateway, and its destination address is the

inbound address of the VPN device at the receiving end. When using

ESP

protocol

with authentication, the packet contents (in this case, the entire original packet)

are encrypted. The encrypted contents, but not the new headers, are signed with

a hash value appended to the packet.

Tunnel

mode

ESP

with authentication is compatible with NAT because integrity

checks are performed over the combination of the "original header plus original

payload," which is unchanged by a NAT device.